CIVI-SA-2024-07: Symbolic Link Cleanup

Published
2024-10-16 12:00
The helper function CRM_Utils_File::cleanDir() is used to clean up certain data folders. In some situations it could be tricked into deleting files outside the target directory.
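As an added illustration of the bug class described above (this is not CiviCRM's code and not the fix from security/core#136): a recursive cleanup routine that removes symbolic links without following them and checks that every subdirectory resolves inside the cleanup root. The function name safeCleanDir() and the demo paths are assumptions.

```php
<?php
// Added example, not CiviCRM's own code: a recursive cleanup that never follows
// symbolic links, so a link planted inside the target cannot redirect deletion
// to files elsewhere. safeCleanDir() is a hypothetical name.
function safeCleanDir(string $target, bool $removeRoot = false): void
{
    // Refuse to operate on a target that is itself a symlink.
    if (is_link($target)) {
        throw new RuntimeException("Refusing to clean symlinked target: $target");
    }
    if (!is_dir($target)) {
        return;
    }
    $root = realpath($target);
    foreach (scandir($target, SCANDIR_SORT_NONE) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $target . DIRECTORY_SEPARATOR . $entry;
        // Check is_link() before is_dir(): is_dir() follows links, so a symlink
        // to a directory would otherwise be recursed into and emptied.
        if (is_link($path)) {
            unlink($path); // removes the link itself, never what it points to (Windows dir links need rmdir())
            continue;
        }
        if (is_dir($path)) {
            // Defence in depth: the resolved path must stay inside the root.
            $real = realpath($path);
            if ($real === false || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
                throw new RuntimeException("Path escapes cleanup root: $path");
            }
            safeCleanDir($path, true);
            continue;
        }
        unlink($path);
    }
    if ($removeRoot) {
        rmdir($target);
    }
}
// Constructed demo: a link inside the target points at a file outside it.
$base    = sys_get_temp_dir() . '/cleandir-demo-' . getmypid();
$outside = "$base/outside.txt";
$target  = "$base/target";
mkdir("$target/sub", 0700, true);
file_put_contents($outside, 'must survive');
file_put_contents("$target/sub/junk.txt", 'x');
symlink($outside, "$target/sub/link-to-outside");
safeCleanDir($target);
echo file_exists($outside) ? "outside file preserved\n" : "BUG: outside file deleted\n";
```

The demo leaves the temporary base directory in place so the result can be inspected; a cleanup routine that used is_dir() before is_link() would instead have deleted the linked file.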

Security Risk
Moderately Critical
Vulnerability
Other
Affected Versions

CiviCRM versions 5.78.1 and earlier

Fixed Versions

CiviCRM versions 5.78.2 and 5.75.4 (ESR)

Solutions

Upgrade to the latest CiviCRM Version

Credits
  • Reporter: Sebastian Lisken of civiservice.de
  • Development/Review: Sebastian Lisken of civiservice.de; Tim Otten of CiviCRM; Dave D; Seamus Lee of JMA Consulting & CiviCRM; Kevin Cristiano of Tadpole Collective
References

security/core#136